Protect your Web site and your reputation
Vulnerable Web sites aren’t just a reputation risk – they leave an open door to your backend systems and company data. The days of the enterprise Web site serving as a static “billboard” are long gone. Now, Web sites are a valuable brand ambassador, and crucially, they are often also a channel to market and a conduit to the enterprise back-end systems, says Jonas Thulin, security consultant at Fortinet.
In some cases, your site IS your business. Unfortunately, many South African companies still overlook the importance of effectively securing their Web sites.
A Web site’s greatest strength is also its greatest weakness – it is accessible to everyone. This makes a Web site a natural target for the cybercriminal, hacker or hacktivist. Compounding this challenge is the fact that competition and business goals may drive Web developers and designers to push site updates without proper security testing.
Regardless of the reason for the vulnerabilities or the motivation of attackers, a compromised Web site has serious implications – loss of revenue, negative impact to a company’s reputation and theft of sensitive information such as credit card numbers and personal data.
In South Africa, most of the high profile hacks recently have been hacktivist-style attacks on controversial or high-profile organisations. We’ve seen the defacement of the AARTO and Department of Health sites, the hack of the SAPS informants’ database, and the hacking of the Johannesburg City billing system, among others. These are just the widely-known cases.
Unless cases go to court or are publicised, corporates are not likely to draw attention to site breaches.
In many cases, it requires extensive and careful forensic work to determine the extent of the breach if a site has been hacked. It is for good reason that hackers use the phrase “you’ve been owned” when they breach Web site security.
Challenges in securing Web applications
The Verizon 2012 Data Breach report says that while network security is relatively straightforward – define security policies to allow/block specific traffic to and from different networks/servers – Web sites are made up of hundreds, and sometimes thousands, of different elements including URLs, parameters and cookies. Manually creating different policies for each of these items is almost impossible and obviously does not scale.
In addition, Web sites change frequently with new URLs and parameters being added, making it difficult for security administrators to update security policies.
The difficulty in protecting a Web site is further compounded by the on-going discovery of software vulnerabilities in the Web site itself and the applications running on it, the challenges of developing and applying patches and code revisions, and time-to-market pressure.
Adding to this already complicated environment is the fact that behind most Web sites is a distributed infrastructure of servers for the actual Web site, its applications and databases, increasing the difficulty of securing these key elements.
The end result is that, just as traditional applications and operating systems are considered inherently vulnerable, Web-based applications cannot be assumed to be secure – they require independent security measures.
Protecting your online assets
* Secure coding practices and code reviews – developing Web applications securely and implementing a secure coding practice as part of the development life cycle should be an integral part of application development projects. By following the guidelines recommended by the Open Web Application Security Project (OWASP) and other bodies, developers can build a more secure and trusted application. Once developed, the code should be reviewed by an independent third party.
* Perform Web Application vulnerability assessment/penetration testing – applications should either be reviewed manually or through automated application vulnerability assessment tools to identify vulnerabilities. This could be further followed up with specific application penetration testing exercises for critical applications.
* Utilise a Web application firewall – a Web application firewall (WAF) allows organisations to detect and block application layer attacks. Such a specialised firewall is needed in addition to conventional network security solutions because traditional firewalls are designed to detect and combat attacks at the network and network port levels, not the application level.
By complementing an existing network firewall with a WAF, you can address the unique requirements of Web-based applications and increase the overall security level of the network.
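The WAF point above, together with the earlier remark that hand-written per-URL and per-parameter policies do not scale, is illustrated by the following added example (not FortiWeb or Fortinet code): a toy positive-security profile that learns which parameters each URL takes, and what their values look like, from known-good requests, then flags requests that deviate. The sample requests are constructed.

```python
"""Toy positive-security WAF profile (added illustration, not vendor code).
Learn per-URL parameter names and value classes from known-good traffic,
then report requests that do not fit the learned profile."""
import re
from urllib.parse import urlsplit, parse_qsl

# Value classes a parameter value may be profiled as, most specific first.
CLASSES = [("int", re.compile(r"^\d{1,10}$")),
           ("word", re.compile(r"^[A-Za-z0-9_-]{1,64}$")),
           ("text", re.compile(r"^[\w\s.,@-]{0,256}$"))]

def classify(value):
    """Return the first class whose pattern matches the whole value."""
    for name, rx in CLASSES:
        if rx.fullmatch(value):
            return name
    return "other"          # quotes, angle brackets, '=' etc. land here

def learn(profile, request):
    """Record, per URL path, the parameter names and value classes seen."""
    parts = urlsplit(request)
    params = profile.setdefault(parts.path, {})
    for k, v in parse_qsl(parts.query, keep_blank_values=True):
        params.setdefault(k, set()).add(classify(v))

def check(profile, request):
    """Return a list of violations; an empty list means the request fits."""
    parts = urlsplit(request)
    params = profile.get(parts.path)
    if params is None:
        return ["unknown URL " + parts.path]
    violations = []
    for k, v in parse_qsl(parts.query, keep_blank_values=True):
        if k not in params:
            violations.append("unexpected parameter " + k)
        elif classify(v) not in params[k]:
            violations.append("parameter %s: class %s not in %s"
                              % (k, classify(v), sorted(params[k])))
    return violations

# Constructed known-good traffic used to build the profile.
GOOD = ["/product?id=42", "/product?id=7", "/search?q=fortinet&page=2"]

def build_profile(good=GOOD):
    profile = {}
    for r in good:
        learn(profile, r)
    return profile

if __name__ == "__main__":
    p = build_profile()
    for r in ["/product?id=5", "/product?id=1%20OR%201%3D1", "/admin"]:
        print(r, "->", check(p, r) or "ok")
```

The profile is only as good as the traffic it was learned from: a value class never seen during learning (say, free text where only single words appeared) is reported as a violation, which is exactly the tuning burden the article describes for hand-maintained policies.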
Many variations of WAFs exist today. Fortinet’s FortiWeb appliance, for instance, combines a WAF with XML Firewall capabilities in a single platform with several add-on modules like Vulnerability Scanning, Application Acceleration and Server Load Balancing that further complement the basic capabilities offered.